Throughout history, crises have been good times for opportunists and, taken to the extreme, for scammers, swindlers and criminals. The current crisis caused by the COVID-19 pandemic is no exception, and cyberspace is proving to be the new playing field in which these unscrupulous people seek only their own benefit.
Almost everyone has heard the term social engineering at some point. These techniques, widely used by cybercriminals, exploit the weaknesses of people and their psychology instead of focusing on exploiting technological vulnerabilities. Attackers use them so much because they usually work very well (they let them achieve their objectives in a reasonable time), they usually involve little risk for the attacker and, in addition, they usually cost very little.
The bad guys go fishing
One of the most widely used techniques in social engineering is phishing. This technique tries to get us to bite the hook: we receive an email, a message from an instant messaging application or social network, an SMS, or a phone call. The idea is that it seems legitimate to us, that it appears to come from a trusted source, and that we carry out one of these three actions:
- That we provide sensitive data or information. The attacker almost always wants us to reveal a password, although they may also be interested in banking information such as our credit card or account number, for example.
- That we click on a link. In this case, the objective is usually to direct us to a web page controlled by the attacker. It can be a page that impersonates a legitimate one (that of our bank, our teleworking portal, our college or university, a social network) so that we do not notice the impersonation and interact with the site as if it were the real one. This also allows the attacker to obtain sensitive data or information. The other possible objective is to infect us with some type of malware from this website.
- That we download or open some type of file. In this case, the goal is once again usually to infect us with malware.
Phishing campaigns also usually come in two types. The first type, generic campaigns, are aimed at the entire public and play with probability. If, for example, a million emails are sent and it is known that around 3% of the people who receive them will open them and click on the link, this means that the attackers will be successful 30,000 times. And it works even with campaigns that put little effort into the design of the email, the sender address and the wording of the message.
The second type is campaigns directed at a specific person or group of people. In these cases the aim is for the bait or hook (the email, the message, the call, etc.) to be very credible for that person or group, so the attacker has to work harder to build trust in the victim so that they fall for the deception.
Why do we keep biting?
Social engineering is based on six fundamental principles, which are what make it work: reciprocity, commitment and consistency, group membership, the need to please, obedience to authority and scarcity.
Cybercriminals are taking advantage of the fact that these principles, which always work, work even better in times of crisis. It is easier to arouse a feeling of urgency in victims because they are nervous or more sensitive, hungry for information or tools to communicate with others, concerned about the possible shortage of certain resources, etc.
Let’s analyze some examples that we are observing these days:
- A multitude of campaigns is being created that simply offer supposed information about vaccines, treatments or the spread of COVID-19 itself (with maps and other graphic tools, for example). By accessing this information, offered from malicious web domains that have been created at full speed these days or directly in attached documents, many victims are becoming infected with malware. In many cases it is ransomware, which encrypts the data on their devices (and offers to decrypt it in exchange for a ransom), or banking Trojans, which steal sensitive information from them when they use electronic banking.
- The same goes for apps that supposedly offer self-diagnosis, real-time information about the pandemic, or recommendations from the authorities, and that are actually stealing information from victims’ devices. In many of these campaigns, to build confidence in the victims, the attackers try to impersonate trusted entities: banks, official organizations, NGOs, even the World Health Organization.
- We have also started to observe campaigns in which, supposedly, gyms, schools, banks, energy companies, e-commerce stores, courier companies, etc. offer to reimburse your money because in the month of March you could not fully enjoy the services you had contracted with them, or simply offer you some kind of deal or discount for the month of April. To enjoy these benefits, they ask for your bank details or redirect you (supposedly) to their systems so that you can take the necessary steps.
Take care of our data, and our work data too
Keep in mind that if all this is critical when we are talking about personal data and devices, it can be even more so when, through a single victim, an entire organization is compromised (now that many of us are teleworking), and that organization may even be a hospital or a critical infrastructure for the population.
So, as we are doing with lockdown, we have to be responsible, for ourselves and for others. We have to protect ourselves in order to protect those around us, stay alert and follow all the advice that is being provided by organizations such as the National Cryptological Center, INCIBE or the USA Agency for Data Protection. Let’s be careful and apply common sense.